Service providers who provide network access to users typically implement access security for the network by putting in place and managing network access policies. Access security, when configured properly, helps to protect both the user devices and the network itself from malicious attacks and abuse.
Various approaches have been taken to implement access security. One is to set common filtering rules for the entire enterprise or operator network. These rules or policies may be specific to the type of traffic, the specific services to be provided, or the user location, but they take into account neither the identity of the users in the protected network nor the type of device being used for access. Many current application-aware firewalls and IDS/IPS (intrusion detection system/intrusion prevention system) products have been developed according to this approach.
A more recent approach to managing security is to set security policy depending upon the identity of the user and/or the user's duties. In a network there are often different roles, functions or privileges assigned to each user. Consequently, it is possible to implement access security such that when a user accesses the network, the user is identified and the policies associated with the role, function or privileges assigned to that user are then used to provide the security appropriate to that user. An example of this type of approach is the use of ACLs (access control lists) for role-based or user-based access control. An authorized device may be utilized by any one of a number of different users for network access. Each user is subject to the network security policy determined by his or her identity. FIG. 1A illustrates this principle. Network access device 10 may be used to access a network 5 by a first user 20, a second user 22, or a third user 24, each of whom has a different identity and may have different roles or privileges. The access device 10 accesses the network 5 through a security policy enforcement point (SPEP) 21, which is typically a security proxy that controls access and traffic in both directions. FIG. 1B illustrates a single user 20 accessing the network 5 using any one of a number of different access devices 10, 12, and 14 coupled to the network 5 through the SPEP 21. No matter which device 10, 12, 14 the user utilizes to access the network 5, since the single user 20 always maintains the same identity, the same role and the same privileges, the same security policies will be applied. Independent of these security policies, tools such as port-based access control (IEEE 802.1X) or the IMEI (international mobile equipment identity) are used for the purposes of identification and/or authentication of the devices when they are used to access the network.
Despite the current state of security policy enforcement for network access, today's end user can use any one of a number of different types of devices to connect to the access network. These types of devices include, for example, laptops, palmtops, tablet personal computers (PCs), personal data assistants (PDAs), and desktop computers. Each of these devices can have a uniquely different hardware and software configuration and can have different versions of software applications, and even different operating systems, installed on it. Therefore, each device may be vulnerable to specific exploits and attacks. The performance capabilities of these devices may also differ considerably from one another.
A network which provides support for robust user mobility ideally allows end-user access to the network from any device, and ideally would dynamically adapt the security applied to a user's access when the user changes access device while maintaining the same user identity registered on the security policy enforcement point.
Known approaches to access security management do not address the situation in which the end user dynamically changes device within the same premises under the same identity; for instance, switching between different operating systems or between a PDA and a PC as a subscriber within the rich presence concept framework. Current systems which do not track these device changes remain unaware of them from a security policy perspective. Generic rules and policies of known systems, or those based on the user's identity and credentials, do not provide an appropriate level of security according to the distinctive characteristics of the various devices or their configuration. For example, firewall/filtering rules, even when specific to a user's identity (and corresponding credentials), do not take into account the type of end device that is used; instead they are based on the assumption that the devices are permanently of the same kind typical for the given network segment (for example desktop computers). As a result, an event, traffic or end-user action which is harmless when the first device is used can potentially be destructive for the other device or for the service if not prevented by the security controls in the network. One example of this is the difference between a server (for example a PC) and a small portable network-capable device (for example a PDA). The PC is quite capable of receiving a large number of SYN packets per second, while the PDA would be overwhelmed by the same traffic that the PC could easily handle. A PDA security policy could set a limit on the number of SYN packets received per second that is much lower than the limit set in a PC security policy.
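The following added example, which is not part of the original text, illustrates in Python both the identity-based policy of FIG. 1A/1B and the device-aware refinement described above. A simulated security policy enforcement point resolves a SYN-per-second budget from the user's registered role together with the type of device currently in use, and drops SYN packets that exceed that budget. The class and function names (Session, syn_limit, enforce_syn_rate), the roles, device types, numeric limits and the traffic sample are all constructed assumptions for illustration and do not come from any real product or standard.

```python
"""Device-aware SYN rate limiting at a simulated security policy enforcement point.

Added example; all names and values are hypothetical and constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Per-second SYN budget keyed by (role, device_type). Constructed values:
# a desktop tolerates far more SYNs than a PDA under the same identity.
SYN_LIMITS: Dict[Tuple[str, str], int] = {
    ("employee", "desktop"): 500,
    ("employee", "pda"): 20,
    ("guest", "desktop"): 100,
    ("guest", "pda"): 10,
}
DEFAULT_SYN_LIMIT = 10  # most restrictive budget when the pair is unknown


@dataclass(frozen=True)
class Session:
    """Identity registered at the SPEP plus the device currently in use."""
    user: str
    role: str
    device_type: str


def syn_limit(session: Session) -> int:
    """Resolve the SYN/s budget for a session.

    Keying on (role, device_type) is what makes the policy device-aware.
    A role-only scheme, as in FIG. 1A/1B, would key on session.role alone
    and hand out the same budget whether the user is on a desktop or a PDA.
    Unknown pairs fall back to the most restrictive budget.
    """
    return SYN_LIMITS.get((session.role, session.device_type), DEFAULT_SYN_LIMIT)


@dataclass
class Verdict:
    accepted: int
    dropped: int
    limit: int


def enforce_syn_rate(session: Session, syn_arrivals: Iterable[float]) -> Verdict:
    """Count SYN arrivals in one-second buckets and drop those over budget.

    syn_arrivals: arrival timestamps in seconds (a monotone float stream).
    """
    limit = syn_limit(session)
    seen_in_bucket: Counter = Counter()
    accepted = dropped = 0
    for t in syn_arrivals:
        bucket = int(t)
        if seen_in_bucket[bucket] < limit:
            seen_in_bucket[bucket] += 1
            accepted += 1
        else:
            dropped += 1
    return Verdict(accepted=accepted, dropped=dropped, limit=limit)


def constructed_syn_burst(rate_per_second: int, seconds: int) -> List[float]:
    """Evenly spaced SYN arrival times at a fixed rate (constructed input)."""
    step = 1.0 / rate_per_second
    return [s + i * step for s in range(seconds) for i in range(rate_per_second)]


def same_user_two_devices() -> Tuple[Verdict, Verdict]:
    """The scenario from the text: one identity, one traffic pattern, two devices."""
    burst = constructed_syn_burst(rate_per_second=50, seconds=3)  # 150 SYNs total
    on_desktop = enforce_syn_rate(Session("alice", "employee", "desktop"), burst)
    on_pda = enforce_syn_rate(Session("alice", "employee", "pda"), burst)
    return on_desktop, on_pda


if __name__ == "__main__":
    desk, pda = same_user_two_devices()
    print(f"desktop: limit={desk.limit} accepted={desk.accepted} dropped={desk.dropped}")
    print(f"pda:     limit={pda.limit} accepted={pda.accepted} dropped={pda.dropped}")
```

Running the script shows the point of the passage: the same user sending the same 50 SYN/s stream is fully accepted on the desktop (budget 500/s) but has 30 of every 50 SYNs per second dropped on the PDA (budget 20/s). A role-only policy would have returned one budget for both sessions, and the SPEP would have forwarded to the PDA a rate that only the desktop can absorb.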